Hi!

On Mon, Sep 29, 2008 at 06:46:18PM +0200, pageexec@××××××××.hu wrote:
> maybe it's because of what you said:
> > I've no idea why grsec complains in logs about it.
> at this point it's clear that you didn't quite read the description of
> GRKERNSEC_RESLOG which is what you've apparently enabled. in short, grsec
> is doing what you asked it to do: log various resource overstep events.

Not really. :) I know I enabled this item, and I understand what it does.
The question is exactly "what's wrong with qmail-smtpd, why did it hit
resource limits?".

> why those events occurred is another question and each case needs its own
> investigation. for example overstepping the default 8MB stack limit by
> 180MB sounds like a memory corruption problem or something trying to pass
> an inordinate amount of data on the stack (say, in the environment).
> whether that was because of e.g., a bug in a script on your server or an
> exploit attempt is hard to tell after the fact. also the AS limit overstep
> is a known issue, qmail tries to be smart and fails to estimate its own
> memory needs.

Now I have a smaller example. I've executed this command 10 times:
    perl -e 'exec "/bin/pwd"'
and got 5 records in logs, listed below.
Executing just:
    /bin/pwd
or
    bash -c 'exec /bin/pwd'
many times doesn't result in grsec alerts.
If you wanna say "it's because of perl", I'd like to remind you - there
were no perl scripts between tcpserver and qmail-smtpd before, the command
looks this way:
    /usr/bin/tcpserver -p -v -R -x /etc/tcprules.d/tcp.qmail-smtp.cdb \
        -c 40 -u 201 -g 200 0.0.0.0 smtp /var/qmail/bin/qmail-smtpd

Didn't you think it's a good idea to trace this issue? It may be a bug in
grsec... anyway, a usual hardened system shouldn't produce such warnings
in logs just because somebody calls exec() from a perl script or uses qmail.

2008-09-29_16:49:11.85806 kern.alert: grsec: denied resource overstep by requesting 110424064 for RLIMIT_STACK against limit 8388608 for /bin/pwd[pwd:18143] uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:28139] uid/euid:1000/1000 gid/egid:100/100
2008-09-29_16:49:17.16897 kern.alert: grsec: denied resource overstep by requesting 124620800 for RLIMIT_STACK against limit 8388608 for /bin/pwd[pwd:18250] uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:28139] uid/euid:1000/1000 gid/egid:100/100
2008-09-29_16:49:19.20874 kern.alert: grsec: denied resource overstep by requesting 137330688 for RLIMIT_STACK against limit 8388608 for /bin/pwd[pwd:18300] uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:28139] uid/euid:1000/1000 gid/egid:100/100
2008-09-29_16:49:21.16078 kern.alert: grsec: denied resource overstep by requesting 187035648 for RLIMIT_STACK against limit 8388608 for /bin/pwd[pwd:18345] uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:28139] uid/euid:1000/1000 gid/egid:100/100
2008-09-29_16:49:23.64000 kern.alert: grsec: denied resource overstep by requesting 146747392 for RLIMIT_STACK against limit 8388608 for /bin/pwd[pwd:18398] uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:28139] uid/euid:1000/1000 gid/egid:100/100

--
WBR, Alex.